Use graham-campbell/security-core instead of `graham-campbell/secur…

…ity`
protonemedia · Mar 14, 2024 · be2e5ba · be2e5ba
1 parent 35a20b4
commit be2e5ba
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 45 deletions.
diff --git a/composer.json b/composer.json
@@ -16,12 +16,13 @@
         }
     ],
     "require": {
-        "php": "^8.1|^8.2|^8.3",
-        "graham-campbell/security": "^11.0",
+        "php": "^8.2|^8.3",
+        "graham-campbell/security-core": "^4.0",
         "illuminate/contracts": "^10.0|^11.0",
         "spatie/laravel-package-tools": "^1.9.2"
     },
     "require-dev": {
+        "laravel/pint": "^1.14",
         "nunomaduro/collision": "^7.0|^8.0",
         "orchestra/testbench": "^8.0|^9.0",
         "pestphp/pest": "^2.0",

diff --git a/config/xss-protection.php b/config/xss-protection.php
@@ -18,4 +18,15 @@
 
         'dispatch_event_on_malicious_input' => false,
     ],
+
+    // Additional configuration for the underlying voku/anti-xss package
+    // See: https://github.com/GrahamCampbell/Laravel-Security/blob/11.1/config/security.php
+    'anti_xss' => [
+        'evil' => [
+            'attributes' => null,
+            'tags' => null,
+        ],
+
+        'replacement' => null,
+    ],
 ];
diff --git a/src/Events/MaliciousInputFound.php b/src/Events/MaliciousInputFound.php
@@ -10,7 +10,6 @@ public function __construct(
         public array $sanitizedKeys,
         public Request $originalRequest,
         public Request $sanitizedRequest
-    )
-    {
+    ) {
     }
 }
diff --git a/src/Middleware/XssCleanInput.php b/src/Middleware/XssCleanInput.php
@@ -11,20 +11,6 @@
 
 class XssCleanInput extends TransformsRequest
 {
-    /**
-     * The security instance.
-     *
-     * @var \GrahamCampbell\SecurityCore\Security
-     */
-    protected $security;
-
-    /**
-     * The Blade echo cleaner instance.
-     *
-     * @var \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes
-     */
-    protected $bladeEchoCleaner;
-
     /**
      * All of the registered skip callbacks.
      *
@@ -63,22 +49,20 @@ class XssCleanInput extends TransformsRequest
     /**
      * Create a new instance.
      *
-     * @param \GrahamCampbell\SecurityCore\Security $security
-     * @param \ProtoneMedia\LaravelXssProtection\Cleaners\BladeEchoes $bladeEchoCleaner
      *
      * @return void
      */
-    public function __construct(Security $security, BladeEchoes $bladeEchoCleaner)
-    {
-        $this->security         = $security;
-        $this->bladeEchoCleaner = $bladeEchoCleaner;
+    public function __construct(
+        protected Security $security,
+        protected BladeEchoes $bladeEchoCleaner
+    ) {
+        //
     }
 
     /**
      * Handle an incoming request.
      *
      * @param  \Illuminate\Http\Request  $request
-     * @param  \Closure  $next
      * @return mixed
      */
     public function handle($request, Closure $next)
@@ -149,7 +133,7 @@ protected function transform($key, $value)
 
         $output = $this->security->clean((string) $value);
 
-        if (!$this->enabledInConfig('allow_blade_echoes')) {
+        if (! $this->enabledInConfig('allow_blade_echoes')) {
             $output = $this->bladeEchoCleaner->clean((string) $output);
         }
 
@@ -165,8 +149,7 @@ protected function transform($key, $value)
     /**
      * Returns a boolean whether an option has been enabled.
      *
-     * @param string $key
-     * @return boolean
+     * @param  string  $key
      */
     private function enabledInConfig($key): bool
     {
@@ -176,7 +159,6 @@ private function enabledInConfig($key): bool
     /**
      * Register a callback that instructs the middleware to be skipped.
      *
-     * @param  \Closure  $callback
      * @return void
      */
     public static function skipWhen(Closure $callback)
@@ -187,7 +169,6 @@ public static function skipWhen(Closure $callback)
     /**
      * Register a callback that instructs the middleware to be skipped.
      *
-     * @param  \Closure  $callback
      * @return void
      */
     public static function skipKeyWhen(Closure $callback)

diff --git a/src/ServiceProvider.php b/src/ServiceProvider.php
@@ -2,6 +2,7 @@
 
 namespace ProtoneMedia\LaravelXssProtection;
 
+use GrahamCampbell\SecurityCore\Security;
 use Spatie\LaravelPackageTools\Package;
 use Spatie\LaravelPackageTools\PackageServiceProvider;
 
@@ -18,4 +19,12 @@ public function configurePackage(Package $package): void
             ->name('laravel-xss-protection')
             ->hasConfigFile();
     }
+
+    public function packageBooted()
+    {
+        $this->app->singleton(Security::class, fn () => Security::create(
+            config('xss-protection.anti_xss.evil'),
+            config('xss-protection.anti_xss.replacement')
+        ));
+    }
 }
diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php
@@ -61,10 +61,10 @@
 
 it('doesnt interfere with booleans, numbers and null values', function () {
     $request = Request::createFromGlobals()->merge([
-        'yes'  => true,
-        'no'   => false,
-        'one'  => 1,
-        'pi'   => 3.14,
+        'yes' => true,
+        'no' => false,
+        'one' => 1,
+        'pi' => 3.14,
         'null' => null,
     ]);
 
@@ -143,11 +143,11 @@ class ExceptXssCleanInput extends XssCleanInput
     }
 
     $request = Request::createFromGlobals()->merge([
-        'key'   => 'test<script>script</script>',
+        'key' => 'test<script>script</script>',
         'allow' => 'test<script>script</script>',
 
         'nested' => [
-            'key'     => 'test<script>script</script>',
+            'key' => 'test<script>script</script>',
             'allowed' => 'test<script>script</script>',
         ],
     ]);
@@ -166,12 +166,12 @@ class ExceptXssCleanInput extends XssCleanInput
 it('can trim blade echoes', function () {
     $request = Request::createFromGlobals()->merge([
         'key' => 'test',
-        'a'   => '{{ $test }}',
-        'b'   => '{!! $test !!}',
-        'c'   => '{{{ $test }}}',
-        'd'   => 'd{{ $test }}',
-        'e'   => 'e{!! $test !!}',
-        'f'   => 'f{{{ $test }}}',
+        'a' => '{{ $test }}',
+        'b' => '{!! $test !!}',
+        'c' => '{{{ $test }}}',
+        'd' => 'd{{ $test }}',
+        'e' => 'e{!! $test !!}',
+        'f' => 'f{{{ $test }}}',
     ]);
 
     config(['xss-protection.middleware.completely_replace_malicious_input' => false]);
@@ -198,11 +198,11 @@ class ExceptXssCleanInput extends XssCleanInput
     });
 
     $request = Request::createFromGlobals()->merge([
-        'key'   => 'test<script>script</script>',
+        'key' => 'test<script>script</script>',
         'allow' => 'test<script>script</script>',
 
         'nested' => [
-            'key'     => 'test<script>script</script>',
+            'key' => 'test<script>script</script>',
             'allowed' => 'test<script>script</script>',
         ],
     ]);

diff --git a/tests/TestCase.php b/tests/TestCase.php
@@ -13,7 +13,7 @@ protected function setUp(): void
         parent::setUp();
 
         Factory::guessFactoryNamesUsing(
-            fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\' . class_basename($modelName) . 'Factory'
+            fn (string $modelName) => 'ProtoneMedia\\LaravelXssProtection\\Database\\Factories\\'.class_basename($modelName).'Factory'
         );
     }